Attribution Models & Frameworks

Cyber attribution is very difficult, and yet there is no standardized method for the attribution process. While the attribution model and framework presented here are not an exhaustive list, this survey of current literature and practices will help journalists understand the process and nuances of attribution, so that they are better equipped to question an attribution before reporting on it.

The Q Model 

Introduced in Thomas Rid and Ben Buchanan’s seminal paper “Attributing Cyber Attacks,” the Q Model emphasizes that attribution doesn’t have one linear path. The goal is to provide technical details and methods used for an attribution to help officials raise more informed questions and stress-test the conclusions, and to improve public cybersecurity conversations. The model is seen, according to Clement Guitton in “Inside the Enemy’s Computer,” as the most “comprehensive, albeit imperfect, model for attribution yet.”

The Q Model: The outer level, in black, is tactical; the middle level, in grey, is operational; and the inner level, in white, is strategic. The final level is the “hook” of the Q: communication. For example, questions analysts may ask can be broken down by levels: “what” and “how” are tactical; “who” is operational; and “why” is strategic. The answer to those three questions are then used to communicate to various audiences. 

The Q Model highlights that the quality of attribution is a function of the team’s questions, methods and overview of the entire process. It provides a helpful structure for thinking of each of these components at three levels of the investigative process: 

  • Tactical/Technical Level: Raising technical questions on what/how the attack happened. Assessing the technical evidence such as the indicators of compromise, point of entry, payload, network activity and others. 
  • Operational Level: Understanding the higher-level architecture of what happened through a synthesis of information to discover who was responsible for the attack. This includes assessing the technical sophistication of the attack, comparing it to known capabilities of state and non-state actors, and understanding the geopolitical context of an event.
  • Strategic Level: Determining why the attack was done. This level requires stress-testing developing conclusions, trying to understand the rationale of an intrusion and determining if the series of events set a meaningful precedent. 
  • Communication Level: How the attribution should be communicated. The model argues for communicating more details, estimative language and limitations of the analysis, which enables a better collective defense, increases the credibility of the attribution and improves the attribution itself. While not explicitly stated in the model, journalists are an integral part of the communication level.
  • Focuses too much on attribution for cases that pose a national security threat, and not those of criminal cyber intrusions, as noted by Clement Guitton in “Inside the Enemy’s Computer.”
  • There are benefits of public attribution by states in some cases, but Andrew Grotto argues that sometimes public attribution is not needed to deter an adversary. 

Analytical Attribution vs. Strategic Attribution Framework

In “Deconstructing Cyber Attribution: A Proposed Framework and Lexicon,” Andrew Grotto proposes a new framework for attribution that focuses on the goals of the entity making the attribution. Grotto noticed that these entities, when making attributions, may have different evidentiary standards, estimative language, targeted audiences and ultimate aims. A private cybersecurity researcher, for example, will approach making and communicating an attribution differently than a government agency. These differences in content and form, Grotto argues, are a result of what an entity wants to achieve with an attribution claim. 

Grotto proposes a framework that highlights two key subsets of attributions: analytical attribution and strategic attribution. Analytical attribution relies mainly on technical artifacts and all-source intelligence. Strategic attribution is then what is done with that analytical attribution, which is influenced by the political and economic consequences of making an attribution claim. 

Grotto breaks down strategic attribution into three modes: private, selective and public — three different degrees to which analytical attribution is shared to third parties. 

  • Private attribution: Deciding not to disclose an analytical attribution to third parties.
  • Selective attribution: Deciding which components of the analytical attribution to disclose to select third parties.
  • Public attribution: Deciding to make the analytical attribution more or less publically available. 

Strategic attribution for both state and non-state entities, Grotto writes, is therefore guided by “which mode advances the decision maker’s interests,” such as a state sharing their analytical attribution with only a subset of stakeholders who might be at risk of an attack. 

With this model in mind, journalists can judge the attribution information they receive in light of the organization providing it. They can question why some would decide to withhold details about attribution — and what that organization might hope to get out of making the attribution public in the first place.